Bad guys are everywhere, good guys are somewhere!


NSA/CSS Threat Operations Center (NTOC) 
NTOC Technology Development 
(U) NTOC


• (U//FOUO) Operates under both SIGINT and Information Assurance authorities
  - Leverage SIGINT, IA, OSINT

• (U//FOUO) Coordinates Integrated Cyber Operations
  - V2: Analysis
  - V3: Operations
  - V4: Technology Development Support
  - V45: Technology Development Division

(U) V45 Projects


• (U//FOUO) TREASUREMAP
  - Massive Internet mapping, exploration, and analysis engine

• (U//FOUO) PACKAGEDGOODS
  - Globally dispersed traceroute generators

• (U) Other Projects

(U) What is TREASUREMAP?


(U//FOUO) Capability for building a near real-time, interactive map of the global internet
- Map the entire Internet: any device*, anywhere, all the time

(U//FOUO) We enable a wide range of missions:
- Cyber Situational Awareness: your own network plus adversaries'
- Common Operation Pictures (COP)
- Computer Attack/Exploit Planning / Preparation of the Environment
- Network Reconnaissance
- Measures of Effectiveness (MOE)

(* limited only by available data)

(U) TREASUREMAP



• (U//FOUO) Continual generation of global Internet map, IPv4 and IPv6 (limited)

• (U//FOUO) Focus on logical layers (router and autonomous system), but touches physical, data link, and application layers

• (U) It's Huge.

(U) TREASUREMAP as an Enabler


[Figure: layered network model with the layers labelled Persona Layer, Cyber Persona Layer, Physical Network Layer and Geographical Layer, annotated "We enable mission"]

(U) Current State



(U//FOUO) Data Sources
- Open Source Intelligence (OSINT)* & Academic
- Commercially Acquired
- SIGINT
- Information Assurance

(U//FOUO) Available on multiple networks to many user groups
- NSAnet: TREASUREMAP (TM)
  • 5-Eyes partners
  • JWICS users: USG IC
- SIPRNet: USG IC / DoD, TREASUREMAP-SIPR (TM-S)

(U) New capabilities delivered every 90 days

(U) 30+ Gigabytes of additional data added and replaced per day

(* OSINT: Open Source / Publicly available Internet Meta-Data)

(U) OSINT, Commercial & Academic


(U//FOUO) BGP
- Gives the 300,000 foot view of the Internet
- Defines routing across Autonomous Systems (AS)
- Origination of IP address spaces (Prefixes) to AS
- How the Internet gets knowledge of itself (IP address space)
- Commercially purchased Data Sources
  • Akamai, SOCIALSTAMP, SEASIDEFERRY
- Open Source
  • Public BGP, IXP (RIPE), APNIC, ROUTEVIEWS, CERNET

(U) OSINT, Commercial & Academic


(U//FOUO) Trace routes
- Router-to-router links to targeted IP addresses
- Creates links between networking devices (routers)
- TM ingests approx. ~16-18 million traceroutes daily
- Gives the 300 foot view, router-to-router infrastructure
- Data Sources
  • ARK: CAIDA's Archipelago Project*
  • PACKAGEDGOODS*
  • SOCIALSTAMP
  • RUSTICBAGGAGE
  • User Input

(U) OSINT, Commercial & Academic


(U) Registries: Information on netblock and AS ownership

(U) DNS: IP address to domain name matching

(U) Operating System (OS) Fingerprints
- Software and Operating System characteristics of networked devices
- 30-50 million unique IP addresses represented per day

(U//FOUO) Traceroutes: PACKAGEDGOODS



(U//FOUO) Collects "network measurement" data on ...ic Internet
- (U) Random traceroutes and user requested

(U//FOUO) PG-GTR
- Currently using ~700 public traceroute sites to perform operations
- High target (full IP addresses)
- Capable of ~4K IPv4 and IPv6 traceroutes daily

(U//FOUO) PG-Server
- High volume: ~6.5 million traceroutes per day
- Low targeting: IPv4 /24 netblocks or higher
- Can do whole ASes, Country, Netblocks
- 13 covered servers in unwitting data centers around the globe
  • Asia: Malaysia, Singapore, Taiwan, China (2), Indonesia, Thailand, India
  • Europe & Russia: Poland, Russia, Germany, Ukraine, Latvia, Denmark
  • Africa: South Africa
  • South America: Argentina, Brazil

(U) Coming Soon!

(U//FOUO) PG-Server 2.0
- Tasking of full IP address
- Choice of traceroute types:
  • ICMP
  • ICMP Paris
  • TCP
  • UDP
- Choice of PG-SVR (for source of traceroute)
- Auto-refresh

(U) Traceroutes - CAIDA


• (U) University of California, San Diego
  - Cooperative Association for Internet Data Analysis
  - Archipelago measurement platform

• (U//FOUO) TM data source: ARK

• (U) High volume: ~10 million traceroutes per day

• (U) Random targeting (/24 netblock, BGP advertised)

• (U) 44 Locations: Asia (5), Europe (15), Africa (2), North America (18), South America (2), Oceania (2)

(U) Internal Sources (Protected sources)


(U//FOUO) PACKAGEDGOODS - NTOC
• (S) Clandestine traceroute and DNS processor

(S//SI//REL) BLACKPEARL - NAC
• SIGINT session 5-tuple, identified routers, routing protocols, SIGINT access points, (inferred SIGINT access points)

(S//SI//REL) LEAKYFAUCET - NAC
• Flow repository of 802.11 WiFi IP addresses and clients via STUN data

(S//SI//REL) HYDROCASTLE - /INSCOM
• 802.11 configuration data extracted from CNE activity in specific locations
• (Requires HYDROCASTLE account)

(S//SI//REL) MASTERSHAKE - NAC
• FORNSAT and WiFi collection data

(S//SI//REL) S-TRICKLER - NTOC
• IP address fingerprints and potential vulnerabilities from FORNSAT collection

(U) Internal Sources (Protected sources)


(S//SI//REL) TOYGRIPPE -
• Repository of VPN endpoints

(S//SI//REL) DISCOROUTE - NAC/GCHQ
• Router configuration files from CNE and passive SIGINT
• NAC's DISCOROUTE repository

(TS//SI//REL) VITALAIR2 -
• Automated scanned IP addresses for TAO known vulnerabilities

(U//FOUO) IPGeoTrap - NAC
• Provides geolocation services for IP addresses/ranges

(TS//SI//REL) JOLLYROGER - SSC /
• Provides metadata that describes the networking environment of TAO-implanted Windows PCs
• (Requires JOLLYROGER account)

(U//FOUO) TUTELAGE - NTOC
• Specific alerts from intrusion detection sensors
• (not currently active)

(U) The Whole is Greater than the Sum of the Parts
than the Sum of the Parts 
[Figure: diagram of TREASUREMAP datatypes and the links between them. Source datatypes: BGP Advertisements, IP Geolocation, OS Fingerprints, Traceroutes, Router Configuration Files. Derived datatypes: IP Prefix, Country, IP Address, Router, AS Owner, SIGAD/CASN, MAC Address, Netblock, Domain Names, Network. Each node carried an "Ex:" sample value that did not survive extraction.]

Yellow links denote direct relationships between datatypes.

For example, we know which AS contains a router because we can relate a router to IP Addresses, 
IP Addresses to IP Prefixes, then IP Prefixes to an AS. 
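The chain in that sentence (router to IP address, IP address to the covering BGP prefix, prefix to the originating AS) and the earlier traceroute slide's point that each traceroute yields router-to-router links are straightforward to implement. The following is an added example in Python; it is not part of the slides and is not TREASUREMAP code. The prefix table, AS numbers and traceroute output are constructed sample data (RFC 5737 documentation ranges and private-use AS numbers standing in for real public space); a real table would be built from a public BGP collector such as RouteViews or RIPE RIS. The example also handles the two cases the later traceroute slide calls out: RFC1918 hops, which no BGP prefix covers, and silent hops, which leave a gap in the router chain.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample BGP origin table: advertised prefix -> origin AS number.
BGP_PREFIXES: Dict[str, int] = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "198.51.100.128/25": 64502,  # more-specific announcement wins for that half
    "203.0.113.0/24": 64503,
}

# Constructed traceroute output in the usual "hop  address  rtt" layout.
TRACEROUTE_TEXT = """\
 1  192.0.2.1        0.5 ms
 2  10.0.0.1         1.2 ms
 3  198.51.100.9     5.1 ms
 4  * * *
 5  198.51.100.200   9.8 ms
 6  203.0.113.7     14.3 ms
"""

# RFC1918 space is never originated in BGP, so a hop inside it cannot be tied to an AS.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def build_prefix_table(prefixes: Dict[str, int]) -> List[Tuple[ipaddress.IPv4Network, int]]:
    """Order (prefix, AS) pairs most-specific first so a linear scan is a longest-prefix match."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in prefixes.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_asn(ip: str, table) -> Optional[int]:
    """IP address -> IP prefix -> AS via longest prefix match; None when no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def label_for(ip: str, table) -> str:
    """Label a hop by its AS, or mark it private / unknown when that link cannot be made."""
    if is_rfc1918(ip):
        return "private"
    asn = lookup_asn(ip, table)
    return f"AS{asn}" if asn is not None else "unknown"


HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_traceroute(text: str) -> List[Optional[str]]:
    """Parse 'hop  address  rtt' lines into an ordered hop list; a silent hop ('*') becomes None."""
    hops: List[Optional[str]] = []
    for line in text.splitlines():
        match = HOP_RE.match(line)
        if match:
            addr = match.group(2)
            hops.append(None if addr == "*" else addr)
    return hops


def router_links(hops: List[Optional[str]]) -> List[Tuple[str, str, bool]]:
    """Turn consecutive responding hops into router-to-router edges. An edge that
    skips over silent hops is kept but flagged: the device in between is
    unobserved, not known to be absent."""
    links: List[Tuple[str, str, bool]] = []
    prev, gap = None, False
    for hop in hops:
        if hop is None:
            gap = True
            continue
        if prev is not None:
            links.append((prev, hop, gap))
        prev, gap = hop, False
    return links


def as_path(hops, table) -> List[str]:
    """Collapse the hop list into the sequence of ASes the path traverses."""
    path: List[str] = []
    for hop in hops:
        if hop is None:
            continue
        label = label_for(hop, table)
        if not path or path[-1] != label:
            path.append(label)
    return path


def routers_by_as(hops, table) -> Dict[str, set]:
    """Group observed router addresses by AS: router -> IP -> prefix -> AS."""
    groups = defaultdict(set)
    for hop in hops:
        if hop is not None:
            groups[label_for(hop, table)].add(hop)
    return dict(groups)


if __name__ == "__main__":
    table = build_prefix_table(BGP_PREFIXES)
    hops = parse_traceroute(TRACEROUTE_TEXT)
    for src, dst, gap in router_links(hops):
        print(f"{src} -> {dst}" + ("   (spans a silent hop)" if gap else ""))
    print("AS path:", " -> ".join(as_path(hops, table)))
    for asn, routers in sorted(routers_by_as(hops, table).items()):
        print(asn, sorted(routers))
```

On the sample input the path resolves to AS64500, a private hop, AS64501, AS64502 and AS64503; the /25 entry shows why the table must be ordered most-specific first, since 198.51.100.200 is covered by both the /24 and the /25 and belongs to the latter's origin. For a defender the same chain, run over traceroutes towards one's own prefixes, shows which of one's routers are visible from outside and which upstream ASes every path crosses.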
(U) Autonomous System Peering - BGP

[Figure: AS peering graph built from IPv4 & IPv6 announcements, with callouts "19 additional peers", "Stub AS: Multi-homed & Single homed" and "Potential Satellite Hops". Graph simplified for presentation purpose.]

(U) ... and Registries

[Figure: the same peering graph annotated with registry data, e.g. "INTAL-ASM Iptal Telecom". Graph simplified for presentation purpose.]
(U) Internet "flow" to a "Network"

[Figure: flow graph, simplified for presentation purpose]

They're color-coded by country. Big deal.

(U) With Traceroute...

[Figure: the same graph with traceroute hops added, with callouts "RFC1918 Addresses (private IP address space)" and "Network Bottlenecks". Graph simplified for presentation purpose.]

(U) ... and DNS

[Figure: the graph with DNS names added. Graph simplified for presentation purpose.]

(U) IP Geolocation Data

Correlate IP addresses with country, latitude and longitude (via IPGeoTrap)
(S//SI//REL) Bring the SIGINT (AS Level)

[Figure: AS-level peering graph overlaid with SIGINT; the node labels did not survive extraction]
- Red Links: SIGINT Collection access points between two ASes
- Red Core Nodes: SIGINT Collection access points within AS
- Red Ringed Node: Nodes within AS are SIGINT Referenced
Graph simplified for presentation purpose

TS//SI//REL TO USA, FVEY

(S//SI//REL) Traceroute - overlaid with SIGINT and other ...

[Figure: traceroute graph with SIGINT overlay]
- DoD Shields: DoD IP Addresses
- Underscore AS: "Operational" AS - 12880

(S//SI//REL) Known Devices

- (S//SI//REL) Sources: DISCOROUTE (NAC router configuration repository)
- (S//SI//REL) Display supporting infrastructure, as configured in router configuration files
  • Where router accessed from (possible NOC?)
  • Servers configured for router (NTP, DNS, Radius, TACACS)

(S//SI//REL) Known Devices



(S//SI//REL) Sources: DISCOROUTE (NAC router configuration repository)
- (S//SI//REL) Router data in tables

(S//SI//REL) Cisco Discovery Protocol (CDP)

[Figure: screenshot of a router data table with the columns Address, Protocol, AS, Country and Data Sources; the cell contents, router name, platform and software version did not survive extraction]

(U//FOUO) 802.11 WiFi Data

(U//FOUO) Display and correlation of 802.11 wireless networks and RFC1918 clients

(S//SI//REL) Sources

[Figure: 802.11 graph; the source labels did not survive extraction]

(U) Communities

(S//SI//REL) Individual IP addresses related by a common attribute
- TOR router
- Servers (DNS, NTP, SNMP, TACACS, RADIUS)
- Hide IP NG Proxy Servers
- BYZANTINE HADES Infrastructure hosts/infected hosts

(S//SI//REL) Sources: (Varies)
- Currently TOR router advertisements

(U) Country (AS Presence)

(U//FOUO) TREASUREMAP Workspace


(U//FOUO) Toolbar: Offers access to a variety of commonly used functions

(U//FOUO) Search Pane: Input search parameters

(U//FOUO) Advanced Search Options: Preferences for searches

(U//FOUO) Release my search to PG: Requesting trace routes for target IP addresses

(U//FOUO) Other Searches: Includes Router, DNS, Batch IP/MAC and JOLLYROGER

(U//FOUO) Legend: Contains all of the icons and decorations as seen in an active graph

(U//FOUO) Send Feedback: Provides a way to communicate questions, comments or problems to the TREASUREMAP team.

(U//FOUO) TREASUREMAP Search Items


1. (U//FOUO) IP Address 

2. (U//FOUO) Routers 

3. (U//FOUO) DNS (FQN) 

4. (U//FOUO) MAC address / 802.11 BSSID / 802.11 SSID 

5. (U//FOUO) IP Prefix / Range (CIDR Notation) 

6. (U//FOUO) Registry Netblock 

7. (U//FOUO) SIGAD and/or Case Notation 

8. (U//FOUO) Country / IP Country Code 

9. (U//FOUO) Autonomous System (AS) Number 

10. (U//FOUO) Free Text 
(S//SI//REL) User Interface: NAVS

(U//FOUO) User Interface: Website